Tutorial on Model Checkingfmv.jku.at/biere/talks/Biere-AB08-talk.pdf · 2021. 1. 13. · VDM Formal...

Tutorial on Model CheckingModelling and Verification in Computer Science

Armin Biere

Institute for Formal Models and VerificationJohannes Kepler University

Linz, Austria

AB’08Algebraic Biology

Castle of Hagenberg, Austria

Friday, August 1, 2008

Origin of Computer Science 1

EngineeringMathematics

Natural Science

Computer Science

Tutorial on Model Checking – Algebraic Biology (AB’08) Armin Biere – FMV – JKU Linz

Models in Natural Science 2

18h

1x

2x

Reality

∆t∆

= α P(t)P(t)

P(t) C e tα=

growth of bakteria population

t= α P(t)P(t)

dd

Model

with solution

leads to differential equation

Modelling

Validation


Mathematical Models in Computer Science 3

• programs and other digital systems are formal objects

– they have precise mathematical models (denotational/operational)

– Reality = Model(modulo complex semantics, compiler bugs, hardware failure, . . .)

– properties of the models also hold in reality

• proving properties of models is difficult

– for Software in general undecidable

– for Hardware in NP or PSPACE

• only valid for functional properties , not for quantitative aspects

– availability, through put, latency, etc. are difficult to model precisely


Formal Methods in Computer Science 4

Formal

Synthesis

FormalVerification

Formal

Specification


Examples of Formal Methods 5

Synchronous

Theorem Proving

Compiler

Languages

B−Method

SDL

SAT

Equivalence

Model Checking

VDM

FormalSpecification

FormalVerification

Checking

UML

FormalSynthesis

ASMZ


What is Model Checking? 6

• mechanically check properties of models

• models:

– finite automata, labelled transition systems

– often requires automatic/manual abstraction techniques

• properties:

– only interested in partial properties

– specified in temporal logic: CTL, LTL, etc.

– safety: something bad should not happen

– liveness: something god should happen

• automatic generation of counterexamples


A Personal History of Model Checking 7

−Inductionk

ClarkeEmerson’82: Model Checking BiereCimattiClarkeZhu’99: Bounded Model Checking

DavisPutnam’60: DP

MoskewiczMadiganZhaoZhangMalik’01: CHAFF

Marques−SilvaSakallah’96: GRASP

Holzmann’91: SPIN

ClarkeGrumbergJahLuVeith’03: CEGAR

SheeranSinghStalmarck’00:

BallRajamani’01: SLAM

Peled’94: Partial−Order−Reduction

GrafSaidi’97: Predicate Abstraction

CoudertMadre’89: Symbolic Reachability

BurchClarkeMcMillanDillHwang’90: Symbolic Model Checking

DavisLogemannLoveland’62: DPLL

Bryant’86: BDDs

QuielleSifakis’82: Model Checking

Pnueli’77: Temporal Logic

Holzmann’81: On−The−Fly Reachability

McMillan’93: SMV

Kurshan’93: LocalizationEenBiere’05: SatELite

EenSorensson’03: MiniSAT

McMillan’03: Interpolation

BiereArthoSchuppan’01: Liveness2Safety


Reachability 8

• set of states S, initial states I, transition relation T

• bad states B reachable from I via T?

• symbolic representation of T (ciruit, program, parallel product)

– avoid explicit matrix representations, because of the

– state space explosion problem, e.g. n-bit counter: |T |= O(n), |S|= O(2n)

– makes reachability PSPACE complete [Savitch’70]

• on-the-fly [Holzmann’81’] for protocols

– restrict search to reachable states

– simulate and hash reached concrete states


Forward Fixpoint Algorithm: Initial and Bad States 9

I B


Forward Fixpoint Algorithm: Step 1 10

I B



I B


Forward Fixpoint Algorithm: Bad State Reached 13

I B


Forward Fixpoint Algorithm: Termination, No Bad State Reachable 14

I B


Forward Least Fixpoint Algorithm for Model Checking Safety 15

initial states I, transition relation T , bad states B

model-checkµforward (I, T, B)SC = /0; SN = I;while SC 6= SN do

if B∩SN 6= /0 thenreturn “found error trace to bad states”;

SC = SN;

SN = SC∪ Img(SC) ;done;return “no bad state reachable”;


Model Checking 16

• algorithms to check more general properties [ClarkeEmerson’82], [QuielleSifakis’82]

– uses temporal logic [Pnueli’77] as property specification language

– model checkers are usually fully automatic

linear vs. branching time formalisms (CTL vs LTL) was hotly debated

– either determine that property holds or . . .

– . . . provide counter example for debugging purposes

• originally explicit (as in SPIN [Holzmann’91])

– search works with concrete states,

– bottle neck: number of states, that have to be stored

– local (on-the-fly) and global algorithms (not on-the-fly)


Symbolic Model Checking 17

• work with symbolic representations of states

– symbolic representations are potentially exponentially more succinct

– favors BFS: next frontier set of states in BFS is calculated symbolically

• originally “symbolic” meant model checking with BDDs

[CoudertMadre’89/’90,BurchClarkeMcMillanDillHwang’90,McMillan’93]

• Binary Decision Diagrams [Bryant’86]

– canonical representation for boolean functions

– BDDs have fast operations (but image computation is expensive)

– often blow up in space

– restricted to hundreds of variables


Linear Size BDD for Bit-Vector Comparison 18

00

00

00

00 1

x

x2

2 2

x

x

y y

3

3 3

y y

y y

y y

1

1 1

0

0 0

boolean function/expression:

n−1̂

i=0xi = yi

interleaved variable order:

x3 > y3 > x2 > y2 > x1 > y1 > x0 > y0

comparison of two n-bit-vectors needs 3 ·n in-ner nodes for the interleaved variable order


Exponential BDD for Bit-Vector Comparison 19

missing edgeslead to 0

1

x3

x2

1x

x0

1x

x0x0x0

x2

1x

x0

1x

x0x0x0

y2 y2 y2 y2

y3y3y3 y3y3y3y3 y3 y3y3y3 y3y3y3y3 y3

y2 y2 y2 y2

y1 y1 y1y1

y0 y0


Unrolling of Forward Least Fixpoint Algorithm 20

0: continue? S0C 6= S0N ∃s0[I(s0)]

0: terminate? S0C = S0N ∀s0[¬I(s0)]

0: bad state? B∩S0N 6= /0 ∃s0[I(s0)∧B(s0)]

1: continue? S1C 6= S1N ∃s0,s1[I(s0)∧T (s0,s1)∧¬I(s1)]

1: terminate? S1C = S1N ∀s0,s1[I(s0)∧T (s0,s1)→ I(s1)]

1: bad state? B∩S1N 6= /0 ∃s0,s1[I(s0)∧T (s0,s1)∧B(s1)]

2: continue? S2C 6= S2N ∃s0,s1,s2[I(s0)∧T (s0,s1)∧T (s1,s2)∧

¬(I(s2)∨∃t0[I(t0)∧T (t0,s2)])]

2: terminate? S2C = S2N ∀s0,s1,s2[I(s0)∧T (s0,s1)∧T (s1,s2)→

I(s2)∨∃t0[I(t0)∧T (t0,s2)]]

2: bad state? B∩S1N 6= /0 ∃s0,s1,s2[I(s0)∧T (s0,s1)∧T (s1,s2)∧B(s2)]


Falsification Part of Fixpoint Algorithm 21

0: continue? S0C 6= S0N ∃s0[I(s0)]

0: terminate? S0C = S0N ∀s0[¬I(s0)]

0: bad state? B∩S0N 6= /0 ∃s0[I(s0)∧B(s0)]

1: continue? S1C 6= S1N ∃s0,s1[I(s0)∧T (s0,s1)∧¬I(s1)]

1: terminate? S1C = S1N ∀s0,s1[I(s0)∧T (s0,s1)→ I(s1)]

1: bad state? B∩S1N 6= /0 ∃s0,s1[I(s0)∧T (s0,s1)∧B(s1)]

2: continue? S2C 6= S2N ∃s0,s1,s2[I(s0)∧T (s0,s1)∧T (s1,s2)∧

¬(I(s2)∨∃t0[I(t0)∧T (t0,s2)])]

2: terminate? S2C = S2N ∀s0,s1,s2[I(s0)∧T (s0,s1)∧T (s1,s2)→

I(s2)∨∃t0[I(t0)∧T (t0,s2)]]

2: bad state? B∩S1N 6= /0 ∃s0,s1,s2[I(s0)∧T (s0,s1)∧T (s1,s2)∧B(s2)]


Bounded Model Checking (BMC) 22

[BiereCimattiClarkeZhu’99]

• look only for counter example made of k states (the bound)

∨ ∨ ∨ ∨p¬ p¬ p¬ p¬p¬0s s1 l+1s sksl

orp¬ p¬ p¬ p¬p¬

0s sls1 l+1s sk

• simple for safety properties p is invariantly true (e.g. p = ¬B)

I(s0) ∧ T (s0,s1))∧·· ·∧T (sk−1,sk) ∧k_

i=0¬p(si)

• harder for liveness properties p is eventually true

I(s0) ∧ T (s0,s1))∧·· ·∧T (sk−1,sk) ∧k̂

i=0¬p(si) ∧ ∃l T (sk,sl)


Bounded Model Checking (BMC) 23

[BiereCimattiClarkeZhu’99]

• look only for counter example made of k states (the bound)

∨ ∨ ∨ ∨p¬ p¬ p¬ p¬p¬0s s1 l+1s sksl

orp¬ p¬ p¬ p¬p¬

0s sls1 l+1s sk

• simple for safety properties p is invariantly true (e.g. p = ¬B)

I(s0) ∧ T (s0,s1))∧·· ·∧T (sk−1,sk) ∧k_

i=0¬p(si)

• harder for liveness properties p is eventually true

I(s0) ∧ T (s0,s1))∧·· ·∧T (sk−1,sk) ∧k̂

i=0¬p(si) ∧

k_l=0

T (sk,sl)


BMC with SAT 24

• satisfiability checking (SAT)

– of propositional/combinational problems (only boolean variables)

– actually restricted to conjunctive normal form (CNF)

– classical NP hard problem [Cook’71]

• key motivation of BMC

– leverage capacity of SAT solvers

– SAT solvers could handle 10000 variables in late 90’ties

– compared to hundreds of variables with BDDs

• key insight: trade capacity for completeness


Bounded Model Checking State-of-the-Art 25

• increase in efficiency of SAT solvers [ZChaff,MiniSAT,SatELite,PicoSAT]

• SAT more robust than BDDs in bug finding

(shallow bugs are easily reached by explicit model checking or testing)

• better unbounded but still SAT based model checking algorithms

– k-induction [SinghSheeranStalmarck’00]

– interpolation [McMillan’03]

• 4th Intl. Workshop on Bounded Model Checking (BMC’06)

• other logics beside LTL, better encodings, e.g. [LatvalaBiereHeljankoJuntilla’04]

• other system models, such as hybrid automata


Induction with SAT 26

[SinghSheeranStalmarck’00]

• more specifically k-induction

– does there exist k such that the following formula is unsatisfiable

B(s0)∧·· ·∧B(sk−1)∧T (s0,s1)∧·· ·∧T (sk−1,sk)∧B(sk)∧^

0≤i< j≤ksi 6= s j

– if unsatisfiable and ¬BMC(k) then bad state unreachable

• bound on k: length of longest cycle free path

• k = 0 check whether ¬B tautological (propositionally)

• k = 1 check whether ¬B inductive for T


A Short SAT Solver History 27

• Davis and Putnam procedure

– DP: elimination procedure [DavisPutnam’60]

– DPLL: splitting [DavisLogemannLoveland’62]

• modern SAT solvers are mostly based on DPLL

– learning: GRASP [MarquesSilvaSakallah’96], RelSAT [BayardoSchrag’97]

– watched literals, VSIDS: CHAFF [MoskewiczMadiganZhaoZhangMalik’01]

– improved heuristics: MiniSAT [EenSorensson’03] actually Version from 2005

• preprocessing is a hot topic:

– currently fastest solvers use SatELite style preprocessing [EenBiere’05] DP

• www.satcompetition.org since 2002


Cactus Plot for SAT’06 Race Instances 28

0

100

200

300

400

500

600

700

800

900

0 20 40 60 80 100

limmatnanosat

funexcompsat

booleforceminisat2007picosat2007picosat2008

picoprep2008


Interpolation 29

[McMillan’03]

• SAT based technique to overapproximate frontiers Img(SC)

– currently most effective technique to show that bad states are unreachable

– better than BDDs and k-induction in most cases [HWMCC’07]

• starts from a resolution proof refutation of a BMC problem with bound k +1

SC(s0)∧T (s0,s1)∧T (s1,s2)∧·· ·∧T (sk,sk+1)∧B(sk+1)

– result is a characteristic function f (s1) over variables of the second state s1

– these states do not reach the bad state sk+1 in k steps

– any state reachable from SC satisfies f : SC(s0)∧T (s0,s1)⇒ f (s1)

• k is bounded by the diameter (exponentially smaller than longest cycle free path)


Longest Shortest Path vs Diameter 30

0

1 2 4 −1n n3

length of longest shortest path O(n)

diameter O(1)


Challenges I 31

• further convergence between theorem proving and model checking

– as pioneered by SLAM [BallRajamani’01] using

∗ predicate abstraction [GrafSaidi’97] and

∗ counter example guided abstraction refinement [ClarkeGrumbergJahLuVeith’03]

– handle large software and hardware systems precisely

– automate compositional reasoning, e.g. alias analysis

• improve Satisfiability Modulo Theory (SMT) procedures

– What is the right way to handle bit-vectors, arrays?

– Quantifiers, interpolation for bit-vectors and arrays?


Challenges II 32

• Satisfiability Solver (SAT) (standard NP hard problem)

– improve heuristics, remove magic constants

– more aggresive incremental preprocessing

– effective incorporation of more powerful reasoning engines

• Quantified Boolean Formulas (QBF) (standard PSPACE hard problem)

– new paradigms?

– improve capacity and effectively apply QBF to real problems

• and do not forget testing, debugging, simulation


Introductory Material on General Model Checking 33

• Edmund M. Clarke, Orna Grumberg, and Doron Peled.Model Checking.MIT press, 1999.

• Gerard Holzmann.The SPIN Model Checker.Addison Wesley, 2004.

• Helmut Veith and Orna Grumberg, editors.25 Years of Model Checking, volume 5000 of LNCS. Springer, 2008.


Surveys on SAT based Model Checking 34

• Mukul Prasad, Armin Biere, and Aarti Gupta.A survey on recent advances in SAT-based formal verification.Software Tools for Technology Transfer (STTT), 7(2), 2005.

• Armin Biere.Bounded Model Checking.In Armin Biere, Marijn Heule, Hans van Maaren, and Toby Walsh, editors,Handbook of Satisfiability,To be published by IOS Press.


Tutorial on Model Checkingfmv.jku.at/biere/talks/Biere-AB08-talk.pdf · 2021. 1. 13. · VDM Formal...

Documents

Transcript of Tutorial on Model Checkingfmv.jku.at/biere/talks/Biere-AB08-talk.pdf · 2021. 1. 13. · VDM Formal...